Closed Bug 698313 Opened 13 years ago Closed 9 years ago

Headers in chunked transfer encoding trailers are not size limited

Categories

(Core :: Networking: HTTP, defect)

Product:
Core
Component:
Networking: HTTP
Version:
7 Branch
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED WONTFIX

People

(Reporter: shooberdiwt, Unassigned)

Details

(Whiteboard: [sg:dos])

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1 Build ID: 20110930134335 Steps to reproduce: Sent a chunked transfer encoded HTTP response with many 10MB HTTP headers in the trailer. e.g. something along the lines of: HTTP/1.1 200 OK Transfer-Encoding: chunked Content-Type: text/plain; charset=utf-8 8 response 0 X-HEADER-1: aaa... // large header X-HEADER-2: aaa... // large header ... Actual results: Firefox consumes memory rapidly. Expected results: Large header rejected (10KB limit?)
Status: UNCONFIRMED → NEW
Component: General → Networking: HTTP
Ever confirmed: true
Product: Firefox → Core
QA Contact: general → networking.http
Whiteboard: [sg:dos]
Group: core-security
There currently is no limit afaik on header sizes (trailers are headers too). I don't necessarily see that as a problem, maybe others disagree? It's no more of a DOS than returning any other large page that we try to render and crap out on. (actually byte for byte its probably less expensive). The 10KB suggestion is way too small at the tail.. 64KB has been shown to be too small for just cookies :)
so trailer is indeed supported by firefox at least since 2011. Then I am wondering when nsIStreamListener with nsITraceableChannel is notified, the data intercepted is transfer-encoded or transfer-decoded. If it is transfer-encoded, where is the time point, I can get the entity body with transfer decoded? Anyone knows? Thanks.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.